Blackmail, bitcoin and bomb threats for club owners

An international blackmail campaign took place yesterday. We are aware of a few club owners in big cities in Poland and Germany (and probably some other countries) who got the following messages:

Subject: Attention

Attention. If you not the chief head urgently send this letter to a management. Not to bear responsibility for consequences.

You are welcomed by Erik. I report that your club got to our attention.

Now concerning your club we will begin the attack. In police of your region calls that your club is mined will begin to arrive. They will arrive during the maximum load of your club. In the evening days off. When at you many people have a rest. It means that the police will close your club in the heat of parties. The police will evacuate all people, to evacuate all machines, to completely check the building. Your club won’t work several hours.

When it occurs for the first time it can seem to your guests interesting. When it occurs for the second time it will cease to be pleasant to people. When it occurs several times for short time people will begin to be afraid to come to your club. The police has no right to ignore messages on the planted bomb. Therefore after each our message your club will cease to work several hours in the most visited time because of evacuation.

You can avoid the attack only in one case. You need to pay 25 bitcoins (BTC) on an e-wallet 1CKA47RGboJ6cc1NDmi8wfKXBS6rW7tJut. On payment at you 72 hours from the moment of receipt of this letter. How to use bitcoin you will find in search systems. If from you there is no payment in the specified time we will begin attack to your club. The payment amount will grow to 250 bitcoins. The attack will continue until you don’t pay 250 bitcoins. Or so far people won’t cease to visit you. Therefore in your interests to pay 25 bitcoins within 72 hours and to work quietly.

We warn that the appeal to police will only complicate a situation for you. We are professionals and provided the anonymity. We have a prepared call center. If payment in the specified time from you doesn’t arrive in police calls about a mining of your club will begin to arrive. The police won’t help you in any way.

We guarantee that we after payment will forget about you forever. We are professionals and we observe the guarantees always. It is not a joke and not a draw. You can be convinced of it. In search engines there is enough information on numerous evacuations in December, 2016 of shopping centers and retail chain stores in Lithuania or Estonia for example. It is our work.

We recommend to observe absolute secrecy of the events. By experience it not in your interests.

The messages were sent from the address of [email protected] and signed “Erik Wei”. The text looks like it was produced by some kind of machine translation, but it might have been obfuscated this way to make linguistic analysis harder. In short:

extortionists target dance/night clubs

threaten to cause trouble by calling with false bomb alarms, resulting in club evacuation during busy hours

demand 25 BTC within 72 hours

ransom grows to 250 BTC once attacks begin

attacks in Lithuania and Estonia are quoted as examples

We did investigate similar threats in other countries in the recent months and indeed there are some similarities:

December 21, 2016 in Latvia the Riga Plaza shopping mall is evacuated again, together with multiple Prisma supermarket chain shops across the country

December 23, 2016, again Riga Plaza evacuated

December 24, 2016, and once more Riga Plaza evacuation takes place

December 25, 2016, this time Galerija Azur shopping centre evacuated in Riga

December 28, 2016, supermarket chain Rimi evacuated across the country in Estonia

Shortly after Latvian police organised a press conference about those events and said that the attacks took place in 5 different countries and blackmailers used electronic means of communication.

One can only imagine the damage done by daily shopping mall evacuation in the days just before Christmas.

We have no proof of correlation between Estonian / Latvian attacks and the email sent to club owners yesterday. As far as we know, at least in two cases the message sent yesterday featured the same bitcoin wallet address (by the way it is still empty and has no record of previous transactions). This means that even if some of the club owners pay up, the extortionists won’t be able to tell which club decided to pay, therefore the claims from the messages seem to be just an opportunistic attempt at some easy money. In any case, if you received such a threat, let the police know and don’t pay the ransom.